Subject Re: [firebird-support] Re: Problem when starting the FB service on Win2003
Author Alexandre Benson Smith
Franky Brandt wrote:
> Hi,
>
> Sorry to jump in but I think 'C:\WINDOWS\system32\lsass.exe' is the sasser
> virus.
> This virus is known for rebooting pc’s so it would be my biggest bet that
> this server is infected with the virus.
>
> There is more info about it here:
> http://forum.avast.com/index.php?topic=4067.msg30673 and on many other sites
>
> Franky
>

Hi Franky !

Thank you for your time.

But I think lsass.exe is a legitimate process, it could be corrupted by
the sasser virus, but the fact that a system has a lsass.exe process is
not a fact that it has sasser. But I think the OS is in some way
corrupted (malware, etc.)

look at this excerpt

The Windows operating system provides numerous services that may be
required to support the capabilities of any given run-time image. This
topic contains a summary that relates Windows services to the files that
implement them, and to the components that provide those files. This is
not an exhaustive listing.

Some Windows services run within the context of other processes,
including the following:

* Service Host Process, which is contained in the svchost.exe file
* Windows Service Controller, which is contained in the services.exe
file
* Local Security Authority Subsystem (LSASS), which is contained in
the lsass.exe file

The Service Host Process is a generic host process for services that run
from dynamic-link libraries. The Windows Service Controller is an
application that starts, stops, and interacts with system services.
LSASS manages Windows security mechanisms.

A Windows service that runs within the context of a process may have a
dependency on that process or require that process to run.

The following table lists Windows Services and the components that
provide them.

I have in the past read about it, here is a brief description
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

if lsass.exe is in system32 it could be the legitimate process, if it
is anywhere else, it's malware.

some more info
http://ask-leo.com/what_are_lsass_lsassexe_and_sasser_and_how_do_i_know_if_im_infected_what_do_i_do_if_i_am.html
http://www.upenn.edu/computing/virus/04/lsass.html
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://wiki.ittoolbox.com/index.php/FAQ:Why_does_my_computer_keep_rebooting_and_saying_something_about_LSASS.EXE_crashing%3F

see you !


--
Alexandre Benson Smith
Development
THOR Software e Comercial Ltda
Santo Andre - Sao Paulo - Brazil
www.thorsoftware.com.br
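
The location check described in the message above, as an added example that is not part of the original post. It assumes PowerShell 4.0 or later in an elevated 64-bit session; the variable names and verdict strings are illustrative, and the single-instance check and the SHA-256 column go beyond what the message states.

```powershell
# Added example, not from the original message.
# Assumes PowerShell 4.0+ (Get-CimInstance, Get-FileHash), elevated and 64-bit.
# On older hosts, Get-WmiObject Win32_Process accepts the same -Filter.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Every running process whose image name is lsass.exe
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'lsass.exe'")

$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    $hash = $null
    if ([string]::IsNullOrEmpty($path)) {
        # WMI could not read the image path (no elevation, or a protected process)
        $verdict = 'UNKNOWN: image path not readable, rerun elevated'
    }
    elseif ($path -ieq $expected) {
        # Right location only; this does not prove the file is unmodified
        $verdict = 'Expected location'
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 `
                    -ErrorAction SilentlyContinue).Hash
    }
    else {
        $verdict = 'SUSPICIOUS: lsass.exe running outside System32'
    }
    [pscustomobject]@{
        ProcessId       = $p.ProcessId
        ParentProcessId = $p.ParentProcessId
        Path            = $path
        Verdict         = $verdict
        SHA256          = $hash
    }
}

$report | Format-List

# Windows normally runs a single lsass.exe, so extra instances deserve a look
if ($procs.Count -gt 1) {
    Write-Warning "Found $($procs.Count) lsass.exe processes; one is expected."
}
if ($procs.Count -eq 0) {
    Write-Warning 'No lsass.exe process was visible to this session.'
}
```

A matching path only rules out the "anywhere else" case; to test for a modified file, compare the SHA256 value with a known-good copy from the same OS build and patch level.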